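I can start Apache httpd directly, but I can't start it via systemctl start httpd. I prefer the daemon approach so that I can have it start automatically.
Has anyone run into this problem? This is on a fresh CentOS7 VM.
systemctl start httpd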
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2018-03-20 17:20:54 EDT; 37s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 7025 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 7024 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 7024 (code=exited, status=1/FAILURE)
Mar 20 17:20:54 test.local.com systemd[1]: Starting The Apache HTTP Server...
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 20 17:20:54 test.local.com kill[7025]: kill: cannot find process ""
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 20 17:20:54 test.local.com systemd[1]: Failed to start The Apache HTTP Server.
Mar 20 17:20:54 test.local.com systemd[1]: Unit httpd.service entered failed state.
Mar 20 17:20:54 test.local.com systemd[1]: httpd.service failed.
journalctl -xe
/etc/httpd/logs/error_log
The only changes made to the default configuration:
/etc/httpd/conf/httpd.conf
IncludeOptional sites-enabled/*.conf
/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
ServerName test.local.com
ServerAlias local.com
Redirect / https://local.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName test.local.com
ServerAlias local.com
ServerAdmin [email protected]
DocumentRoot /var/www/local.com/public_html
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log common
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www/local.com.crt
SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>
Only open ports:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
Here is the entire process I went through on a fresh CentOS7 install:
Fresh CentOS 7 installation (VM)
yum upgrade -y
yum search http
yum install -y httpd httpd-devel mod_ssl openssl
systemctl start httpd
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
Browse to 192.168.1.241
Apache is live!
yum search mariadb
yum install -y mariadb-server
systemctl start mariadb
mysql_secure_installation
mysql -uroot -p
Login to mysql server works!
yum search php
yum install -y php php-cli php-dba php-devel php-fpm php-mysql php-process php-pspell php-xml
systemctl restart httpd
Browse to 192.168.1.241/info.php
PHP is live!
mkdir /etc/httpd/sites-enabled
echo "IncludeOptional sites-enabled/*.conf" >> /etc/httpd/conf/httpd.conf
/etc/httpd/sites-enabled/local.com.conf
<VirtualHost *:80>
ServerName test.local.com
ServerAlias local.com
Redirect permanent / https://local.com
</VirtualHost>
<VirtualHost _default_:443>
ServerName test.local.com
ServerAlias local.com
ServerAdmin [email protected]
DocumentRoot /var/www/local.com/public_html
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log combined
SSLEngine On
SSLCertificateFile /etc/ssl/certs/www/local.com.crt
SSLCertificateKeyFile /etc/ssl/certs/www/local.com.key
</VirtualHost>
mkdir -p /var/www/local.com/public_html
chown -R apache:apache /var/www/local.com/public_html
chmod -R 755 /var/www
cd /etc/ssl/certs/www
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout local.com.key -out local.com.crt
Browse to 192.168.1.241
Unsecure service (self signed ssl) accept
Site is live!
I was redirected to https://local.com
NOTE: I added the following to my desktop's (separate PC) /etc/hosts
192.168.1.241 test.local.com local.com
This acts as a DNS record for my site
yum install -y epel-release
yum install -y phpmyadmin
edit /etc/httpd/conf.d/phpMyAdmin.conf
Add under any line with Require ip 127.0.0.1 with
Require ip 192.168.1.5
Add under any line with Allow from 127.0.0.1 with
Allow from 192.168.1.5
systemctl restart httpd # FAILS
kill pid for httpd
httpd # start httpd directly
Access https://local.com/phpMyAdmin
Now have access to phpMyAdmin
Login with root, 12345
And have mariadb access!
yum install -y awstats
edit /etc/httpd/conf.d/awstats.conf
Change Require ip and Allow ip same as phpMyAdmin
cp /etc/awstats/awstats.localhost.localdomain.conf /etc/awstats/awstats.local.com.conf
edit /etc/awstats/awstats.local.com.conf
LogFile="/var/log/httpd/access.log"
SiteDomain="www.local.com"
HostAliases="local.com 127.0.0.1"
echo "*/30 * * * * root /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=www.local.com -update" >> /etc/crontab
kill httpd pid
httpd
Browse to https://local.com/awstats/awstats.pl?config=local.com
Awstats is live!
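Answer 1
You're running into trouble with SELinux.
For security reasons, the rules shipped with CentOS 7 prevent httpd from writing to files under /var/www.
You are configuring your VirtualHost's log files to live somewhere under that directory: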
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log combined
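So when httpd (started by systemd) tries to write to those log files, SELinux blocks it, which ultimately causes httpd to exit with an error exit code.
You can confirm this with the ausearch command, which inspects entries in the audit log (stored under /var/log/audit/audit.log):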
$ sudo ausearch -m avc
type=AVC msg=audit(1234567890.123:234): avc: denied { write } for pid=12345 comm="httpd" name="local.com" dev="sda1" ino=12345678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
In this message, you'll see that the target of the write is labeled httpd_sys_content_t. If you use ls -Z on the log files, you'll see that they are labeled that way:
$ ls -Z /var/www/local.com/
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 access.log
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html
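The reason this only affects httpd when it is started by systemd, and not when you run httpd directly, is that your SSH session runs in the "unconfined" domain, so running httpd from there does not trigger any SELinux transition... When it is started through systemd, the correct SELinux permissions are applied as the daemon is launched.
You can work around this temporarily by using the chcon command to change the SELinux "type" of these files: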
$ sudo chcon -t httpd_log_t /var/www/local.com/*.log
$ ls -Z /var/www/local.com/
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 access.log
-rw-r--r--. root root unconfined_u:object_r:httpd_log_t:s0 error.log
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 public_html
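At that point, starting httpd through systemctl will work...
But this is not a great solution, because if those files are recreated (for example, during log rotation) or your filesystem is relabeled, the SELinux type will be lost...
There are ways to make the type more persistent (for example, the semanage fcontext command), but what the SELinux policy is trying to achieve here is to prevent mixing web content with logs, so that log files are not accidentally served and web content is not overwritten.
The right answer is to create the log files under /var/log/httpd, or a subdirectory of that directory. If you do that, the SELinux type will be correct from the start and will stay correct through any operation (including an SELinux relabel), and everything should work as expected.
So if you can put your logs under /var/log/httpd, that should solve the problem!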
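Added example, not part of the original answer: a shell sketch that lists log directives pointing outside /var/log/httpd and summarises AVC denials raised against the httpd_t domain. The function names misplaced_logs and httpd_denials are hypothetical, and the sample inputs are constructed from the vhost file and the AVC record quoted above.

```shell
#!/bin/sh
# Added example; sample inputs are constructed from the vhost config and
# the AVC record quoted on this page.
SAMPLE_VHOST='<VirtualHost _default_:443>
ServerName test.local.com
DocumentRoot /var/www/local.com/public_html
ErrorLog /var/www/local.com/error.log
CustomLog /var/www/local.com/access.log combined
</VirtualHost>'
SAMPLE_AVC='type=AVC msg=audit(1234567890.123:234): avc: denied { write } for pid=12345 comm="httpd" name="local.com" dev="sda1" ino=12345678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Read Apache config on stdin; print "Directive path" for each log directive
# whose absolute path is not below the log root (default /var/log/httpd).
# Piped loggers, syslog targets and relative paths are skipped.
misplaced_logs() {
    root="${1:-/var/log/httpd}"
    awk -v root="$root" '
        tolower($1) ~ /^(errorlog|customlog|transferlog)$/ {
            path = $2
            gsub(/"/, "", path)
            if (path !~ /^\//) next
            if (index(path, root "/") == 1) next
            print $1, path
        }'
}

# Read audit records on stdin; for each denial whose source domain is httpd_t
# print "comm permissions target_type tclass".
httpd_denials() {
    awk '/avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
        perm = comm = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm ? "," : "") $j
            } else if ($i ~ /^comm=/) {
                comm = $i; gsub(/comm=|"/, "", comm)
            } else if ($i ~ /^tcontext=/) {
                split($i, c, ":"); ttype = c[3]
            } else if ($i ~ /^tclass=/) {
                tclass = substr($i, 8)
            }
        }
        print comm, perm, ttype, tclass
    }'
}

printf '%s\n' "$SAMPLE_VHOST" | misplaced_logs
printf '%s\n' "$SAMPLE_AVC" | httpd_denials
```

On a real host the same functions can be fed from cat /etc/httpd/sites-enabled/*.conf and from sudo ausearch -m avc.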